slimtoolkit / slim

Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Apache License 2.0

docker-slim doesn't work on macos aarch64 (arm on m1) with an aarch64 docker image #213

Open elliots opened 3 years ago

elliots commented 3 years ago

Expected Behavior

Run docker-slim against an aarch64 docker image, it runs.


Actual Behavior

Fails to run... log message:

cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:43,File:github.com/docker-slim/docker-slim/pkg/app/sensor/monitors/fanotify/monitor.go}}'

The issue I think is that there is no arm build of docker-slim-sensor?


Steps to Reproduce the Problem

1. install using brew (or zip)
2. run docker-slim on an aarch64 image

Specifications

- Version: latest
- Platform: macos aarch64

Fix (build it yourself)

- git clone git@github.com:docker-slim/docker-slim.git
- cd docker-slim
- GOOS=linux go build -o /usr/local/bin/docker-slim-sensor cmd/docker-slim-sensor/main.go

kcq commented 3 years ago

Thank you @elliots for opening the issue! Investigating... will update soon.

kcq commented 3 years ago

@elliots Wonder about the repro steps... You mention downloading zip as a potential way to repro. The mac zip on the github page shouldn't work on M1 because the main app isn't built for darwin arm64 and the sensor is not built for linux arm64. Curious what kind of error message(s) you got trying to use the downloaded zip.

The brew installer seems to have a build for M1, but I'm not quite sure how they do the build for their binary package installations and the formula doesn't explicitly set the architecture... Do you mind running file on the docker-slim and docker-slim-sensor you get with brew?

elliots commented 3 years ago

I tried both brew and zip, it's possible it was a different error for the sensor with the zip and I didn't notice (x86 docker-slim will work fine though with rosetta).

The brew installed version actually is aarch64, which means that isn't the issue.

➜ file bin/docker-slim
bin/docker-slim: Mach-O 64-bit executable arm64

➜ file bin/docker-slim-sensor
bin/docker-slim-sensor: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=URIQ-ncu99UHova0s6Xx/rh_UfBbiVaSn5oIczBVV/H_9yEdLuDBvvheWRt6gB/-0tqU5DbG3U0QT-DrNnN, stripped

But when I run I get

cmd=build info=param.http.probe message='using default probe' 
cmd=build info=exec message='updating continue-after mode to probe&exec' 
cmd=build state=started
cmd=build info=params tags='' target='atlas-magic' continue.mode='probe&exec' rt.as.user='true' keep.perms='true' 
cmd=build state=image.inspection.start
cmd=build info=image id='sha256:d571b9324a16b9b07b962d65195aebacf2f5d7c405094555ec53da909d740563' size.bytes='2799916012' size.human='2.8 GB' 
cmd=build info=image.stack index='0' name='atlas-magic.fat:latest' id='sha256:d571b9324a16b9b07b962d65195aebacf2f5d7c405094555ec53da909d740563' 
cmd=build state=image.inspection.done
cmd=build state=container.inspection.start
cmd=build info=container status='created' name='dockerslimk_90361_20210712045559' id='68e9111489530e9bca211df1836eda9cc11ebec8ba64c3691a3a97b5b65d1350' 
cmd=build info=cmd.startmonitor status='sent' 
cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:43,File:github.com/docker-slim/docker-slim/pkg/app/sensor/monitors/fanotify/monitor.go}}' 
cmd=build state=exited code=-124 version=darwin|Transformer|1.36.1|latest|latest component=container.inspector 

Some other things I just tried:

I then built just docker-slim again myself with go build -o /usr/local/bin/docker-slim cmd/docker-slim/main.go and it started working.

:/

My locally built binary:

✦ ➜ file /usr/local/bin/docker-slim
/usr/local/bin/docker-slim: Mach-O 64-bit executable arm64

Not sure what's going on. Maybe something to do with (self) signing?
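The `file` check above, as an added Go example that is not part of this thread or of the docker-slim code base: it reads the ELF or Mach-O header and reports the platform as `GOOS/GOARCH`, so the host app should come out as `darwin/arm64` and the sensor as `linux/arm64`. Mapping ELF to `linux` and Mach-O to `darwin` is an assumption that fits the two binaries discussed here; `Identify` and the lookup tables are names made up for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// Architecture codes from the ELF (e_machine) and Mach-O (cputype) headers.
var elfArch = map[uint16]string{62: "amd64", 183: "arm64"}                  // EM_X86_64, EM_AARCH64
var machoArch = map[uint32]string{0x01000007: "amd64", 0x0100000c: "arm64"} // CPU_TYPE_X86_64, CPU_TYPE_ARM64

// Identify inspects the first 20 bytes of an executable. Assumption: ELF is
// reported as linux and thin 64-bit Mach-O as darwin; universal (fat) Mach-O
// files and other architectures are rejected as unrecognized.
func Identify(h []byte) (string, error) {
	if len(h) < 20 {
		return "", errors.New("header too short")
	}
	goos, arch := "", ""
	switch {
	case string(h[:4]) == "\x7fELF":
		bo := binary.ByteOrder(binary.LittleEndian)
		if h[5] == 2 { // e_ident[EI_DATA]: 2 means big-endian
			bo = binary.BigEndian
		}
		goos, arch = "linux", elfArch[bo.Uint16(h[18:20])] // e_machine at offset 18
	case binary.LittleEndian.Uint32(h[:4]) == 0xfeedfacf: // MH_MAGIC_64
		goos, arch = "darwin", machoArch[binary.LittleEndian.Uint32(h[4:8])]
	}
	if arch == "" {
		return "", errors.New("unrecognized executable header")
	}
	return goos + "/" + arch, nil
}

func main() { // usage: go run . ./docker-slim ./docker-slim-sensor
	for _, path := range os.Args[1:] {
		data, err := os.ReadFile(path)
		p := ""
		if err == nil {
			p, err = Identify(data)
		}
		fmt.Printf("%s: platform=%q err=%v\n", path, p, err)
	}
}
```

A matching platform only rules out an architecture mismatch; it says nothing about which sensor version a container actually loads.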

kcq commented 3 years ago

That's a lot of useful information... Thank you for confirming the sensor architecture @elliots ! There's a chance that your local Go version is different from the Go version used to compile the sensor. What version of Go do you have installed on your machine?

elliots commented 3 years ago

> What version of Go do you have installed on your machine?

➜ go version
go version go1.16.5 darwin/arm64

kcq commented 3 years ago

Thanks @elliots ! Can you also check the Go compiler version for the docker-slim-sensor you got with brew? go version ./docker-slim-sensor should do it (strings ./docker-slim | grep 'go1\.' might do it too).

elliots commented 3 years ago

➜ go version /opt/homebrew/Cellar/docker-slim/1.36.1/bin/docker-slim-sensor 
/opt/homebrew/Cellar/docker-slim/1.36.1/bin/docker-slim-sensor: go1.16.5

kcq commented 3 years ago

Thanks @elliots ! The old(er) Go version theory doesn't seem like the reason... Let's try something different then :) I'll create an M1 build to see if that works.

kcq commented 3 years ago

@elliots try using this https://downloads.dockerslim.com/releases/1.36.1/dist_mac_m1.zip Let me know if it works or how it fails.

elliots commented 3 years ago

> @elliots try using this https://downloads.dockerslim.com/releases/1.36.1/dist_mac_m1.zip Let me know if it works or how it fails.

That build worked.

ryanobjc commented 3 years ago

I've been having the same problem, and alas this build did not work for me, here is my output:

ryan@macbookprom1 dist_mac_m1 % ./docker-slim build --target rn:rust --tag rn:rust1 --http-probe=false
docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community'
docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS'
docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions'
cmd=build info=exec message='changing continue-after from probe to nothing because http-probe is disabled'
cmd=build info=exec message='changing continue-after to enter'
cmd=build state=started
cmd=build info=params tags='rn:rust1' target='rn:rust' continue.mode='enter' rt.as.user='true' keep.perms='true'
cmd=build state=image.inspection.start
cmd=build info=image size.human='81 MB' id='sha256:9f438f6bdda481f499e7c1d798dd9bfe272a2651a2ac5adc4d1b26eaaa379b30' size.bytes='81130718'
cmd=build info=image.stack id='sha256:9f438f6bdda481f499e7c1d798dd9bfe272a2651a2ac5adc4d1b26eaaa379b30' index='0' name='rn:rust'
cmd=build state=image.inspection.done
cmd=build state=container.inspection.start
cmd=build info=container status='created' name='dockerslimk_35050_20210719162638' id='f810202199b2d55eabb186cea759157fc752db4ab550b5736be105ceb61895b8'
cmd=build info=cmd.startmonitor status='sent'
cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:43,File:github.com/docker-slim/docker-slim@/pkg/app/sensor/monitors/fanotify/monitor.go}}'
cmd=build state=exited code=-124 component=container.inspector version=darwin|Transformer|1.36.1-10-gc32a539|c32a5396dfb7240fb92f885987666bfdec9bbc9e|2021-07-12_05:40:12AM

kcq commented 3 years ago

@ryanobjc it's possible docker-slim is not picking up the right sensor volume and an older sensor version gets loaded. Try deleting all sensor volumes. You can find the sensor volumes with the docker volume ls command. Then you'll need to delete all volumes that start with docker-slim-sensor.

ryanobjc commented 3 years ago

Oh yes that was it, now it works, thanks :-)

kcq commented 3 years ago

> Oh yes that was it, now it works, thanks :-)

The volume detection bug should've been addressed already... need to investigate why it's still happening.